Monday, June 25, 2012

Risk Stats V2

Ok - I spent some time with techs in the field this week and found they really need more data about the hosts when working with risk & scans.

So I created XMLVulnStatsV2, which adds the following columns to the table; they may be helpful data about the hosts in addition to the IP address.

The output table now includes

FQDN

OS

MAC Address

Scan Start Time

For all the techs looking for a quick view of the set of scans they have conducted, this is it.

Additional data on the core source is below.

---

The first version of the script, XMLVulnStats.java, works from one or more .nessus files and gives you the following summary data. The script requires Excel to do some of the front-end math. Because Excel does that math, the impact levels can be modified after the fact to get more accurate results.

The command-line works as follows: java XMLVulnStats Output.xls *.nessus

The output will be a table with the following columns

IP Address

Total CVSS Count - This totals the CVSS score for all Vulns on the Host

Critical Count

High Count

Medium Count

Low Count

None Count

Host Criticality - Adjustable figure between 100-1000 ranking hosts

Risk Score - Total CVSS * Host Criticality

Total Vuln - Total of Critical, High, Med, Low Vulns

Average CVSS

Additionally you will get an Average System Risk Level calculation based on the averages for all hosts.

Note that you will need to set the Host Criticality for your system after the script is run, based on system knowledge. In the Federal / NIST space I have been using a spread based on the FIPS 199 level (i.e. if it's a moderate system, hosts are ranked between 400-600 based on impact: workstations 400, domain controllers 600, etc.).
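To show how the columns above fit together, here is an added Python sketch (not the XMLVulnStats Java source) that computes them from the .nessus v2 XML layout. The sample data is constructed, the default criticality of 400 is a placeholder, and Average CVSS is assumed to be Total CVSS divided by Total Vuln, since the post does not spell that out.

```python
import xml.etree.ElementTree as ET  # prefer defusedxml for files you did not produce

SEVERITY = {0: "none", 1: "low", 2: "medium", 3: "high", 4: "critical"}

# Constructed sample in the .nessus v2 layout (not real scan output).
SAMPLE = """<NessusClientData_v2><Report name="constructed">
<ReportHost name="192.0.2.10"><HostProperties>
<tag name="host-fqdn">dc01.example.test</tag>
<tag name="operating-system">Microsoft Windows Server 2008 R2</tag>
<tag name="mac-address">00:00:5e:00:53:01</tag>
<tag name="HOST_START">Mon Jun 25 09:00:00 2012</tag>
</HostProperties>
<ReportItem severity="4" pluginID="1"><cvss_base_score>10.0</cvss_base_score></ReportItem>
<ReportItem severity="2" pluginID="2"><cvss_base_score>5.0</cvss_base_score></ReportItem>
<ReportItem severity="0" pluginID="3"/>
</ReportHost>
<ReportHost name="192.0.2.20"><HostProperties/>
<ReportItem severity="3" pluginID="4"><cvss_base_score>7.5</cvss_base_score></ReportItem>
</ReportHost></Report></NessusClientData_v2>"""

def host_stats(xml_text, criticality=None, default_criticality=400):
    """Return one row (dict) per ReportHost with the columns listed in the post."""
    criticality = criticality or {}
    rows = []
    for host in ET.fromstring(xml_text).iter("ReportHost"):
        props = {t.get("name"): (t.text or "") for t in host.iter("tag")}
        ip = props.get("host-ip") or host.get("name")
        counts = dict.fromkeys(SEVERITY.values(), 0)
        total_cvss = 0.0
        for item in host.iter("ReportItem"):
            counts[SEVERITY.get(int(item.get("severity", "0")), "none")] += 1
            # Informational items usually carry no CVSS score; count them as 0.
            total_cvss += float(item.findtext("cvss_base_score") or 0)
        total_vuln = sum(counts[k] for k in ("critical", "high", "medium", "low"))
        crit = criticality.get(ip, default_criticality)  # analyst-set, 100-1000
        rows.append({
            "ip": ip, "fqdn": props.get("host-fqdn", ""),
            "os": props.get("operating-system", ""),
            "mac": props.get("mac-address", ""),
            "scan_start": props.get("HOST_START", ""),
            "total_cvss": total_cvss, **counts, "host_criticality": crit,
            "risk_score": total_cvss * crit,  # Risk Score = Total CVSS * Host Criticality
            "total_vuln": total_vuln,
            "avg_cvss": total_cvss / total_vuln if total_vuln else 0.0,  # assumed formula
        })
    return rows

if __name__ == "__main__":
    for row in host_stats(SAMPLE, {"192.0.2.10": 600}):
        print(row)
```

Hosts missing from the criticality map fall back to the default, so any row still showing the placeholder has not yet been ranked by someone who knows the system.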